Cyber espionage threat actors continue to target technologies that do not support endpoint detection and response (EDR) solutions such as firewalls, IoT devices, hypervisors and VPN technologies (e.g. Fortinet, SonicWall, Pulse Secure, and others). Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected China-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised.…

Read More

Last updated at Tue, 27 Feb 2024 17:17:29 GMT

Note: While Rapid7 did not definitively tie the attacker behavior in this blog to a specific CVE at time of publication, as of December 2023 we have observed multiple instances of exploitation of Adobe ColdFusion CVE-2023-26360 for initial access, as well as exploitation of ColdFusion CVE-2023-29300, CVE-2023-29298, and CVE-2023-38203.…

Read More

In November 20211 and February 2022,2 Microsoft announced that by default it would block Excel 4 and VBA macros in files that were downloaded from the internet. Following these changes, CrowdStrike Intelligence and the CrowdStrike Falcon® Complete managed detection and response team observed eCrime adversaries that had previously relied on macro execution for malware delivery adapt their tactics, techniques and procedures (TTPs). …

Read More
Executive Summary

Since our initial report on the ransomware group known as BianLian, we have continued to keep an eye on their activities. Unfortunately, and sadly not surprisingly, the group continues to operate and add to their ever-growing list of victims. Having continued to research BianLian for the past six months or so, we felt the time was right to share an update and some of our findings with the larger community.…

Read More

MedusaLocker ransomware has been active since September 2019. MedusaLocker actors typically gain access to victims’ networks by exploiting vulnerabilities in Remote Desktop Protocol (RDP).

Once Threat Actors (TAs) gain access to the network, they encrypt the victim’s data and leave a ransom note with instructions on how victims can communicate with the TAs in every folder while encrypting files.…

Read More

Summary

NOBELIUM, aka APT29, is a sophisticated, Russian state-sponsored threat actor targeting Western countries. At the beginning of March, BlackBerry researchers observed a new campaign targeting European Union countries; specifically, its diplomatic entities and systems transmitting sensitive information about the region’s politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.…

Read More

ESET researchers discovered a campaign that we attribute with high confidence to the APT group Tick. The incident took place in the network of an East Asian company that develops data-loss prevention (DLP) software.

The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanized installers of legitimate tools used by the company, which eventually resulted in the execution of malware on the computers of the company’s customers.…

Read More
Executive Summary

Just nine months after discovering ZuoRAT – a novel malware targeting small office/home office (SOHO) routers – Lumen Black Lotus Labs® identified another, never-before-seen campaign involving compromised routers. This is a complex campaign we are calling “Hiatus”. It infects business-grade routers and deploys two malicious binaries, including a Remote Access Trojan (RAT) we’re calling HiatusRAT, and a variant of tcpdump that enables packet capture on the target device.…

Read More

Affected platforms: WindowsImpacted parties: Any organizationImpact: Cryptojacks vulnerable systemsSeverity level: Critical

Between January and February 2023, FortiGuard Labs observed a payload targeting an exploitable Oracle Weblogic Server in a specific URI. This payload extracts ScrubCrypt, which obfuscates and encrypts applications and makes them able to dodge security programs.…

Read More

Qakbot (aka QBot, QuakBot, and Pinkslipbot) is a sophisticated piece of malware that has been active since at least 2007. Since the end of January 2023, there has been an upsurge in the number of Qakbot campaigns using a novel delivery technique: OneNote documents for malware distribution.…

Read More
Executive summary

In 2021, Check Point Research published a report on a previously undisclosed toolset used by Sharp Panda, a long-running Chinese cyber-espionage operation targeting Southeast Asian government entities. Since then, we have continued to track the use of these tools across several operations in multiple Southeast Asian countries, in particular nations with similar territorial claims or strategic infrastructure projects such as Vietnam, Thailand, and Indonesia.…

Read More

Figure 1 (image from freepik.com and flaticon.com)

The current economic climate globally is grim because of the ongoing recession. In this environment, job-themed emails have become a prime target for cybercriminals looking to exploit vulnerable individuals.

Trellix Advanced Research Center has observed cybercriminals using phishing and malware campaigns to target job seekers in a bid to steal sensitive information.…

Read More

SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft | Sysdig

Show Table of Contents + Hide −

The Sysdig Threat Research Team recently discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials.…

Read More
Introduction

Attackers are increasingly using OneNote documents to distribute malware, due to the heightened security measures against macro-based attacks and the widespread adoption and popularity of the platform. Analyzing several related case studies, this article showcases the obfuscation techniques used by threat actors to bypass threat detection measures and deceive users into executing malware on their systems via OneNote.…

Read More